.comment: Leveraging Linux

Due Diligence

November 14, 2001

By
Dennis E. Powell

There will probably be no .comment column the week after the first negligence suit is
filed against a firm whose negligent action is the use of Microsoft software when they
should have known better, with the result being a client's confidential documents having
become public.

It is difficult to type when one is laughing oneself into a total thoracic muscle
cramp. And I'm not sure I'll be able to get it out of my system in a week.

But seriously, folks . . .

I got to thinking about this when I learned that a law firm I know is about to embrace
Outlook as its email client. One need have paid only a little attention over the last
couple of years to know that if one wishes to keep a secret, one does not want it ever
to pass through Outlook or to reside on a machine where Outlook is ever used. (The firm
gets its IT services from an outside outfit, which typically means someone for whom it
was an MCSE or the Army, and the Army said no. There are exceptions, but in my
experience there is not a dimmer string of bulbs on the planet than that made up of MCSE
certificants.) It will be no particular surprise when confidential client documents
hitch a ride out of the firm on some SirCam variant.

Wonder if the crackerjacks hired by the law firm know to turn off, and if they do, how
to turn off, IIS. If not, there's another little surprise that could give a cracker hours
of amusement. (Microsoft is going into the game box business; for many persons of
malicious intent, Microsoft has been in the game box business all along.)

Now we get news that there is a vulnerability in Internet Explorer which allows a
malicious web page, or script run locally, to read confidential data out of cookies set
by other sites. I've long railed against cookies, claiming that they are a monstrous
potential security hole, and now Microsoft has removed the word "potential" from that
claim. Microsoft claimed under oath that Internet Explorer is so crucial to its operating
system that its operating system won't work without it. This means that the vulnerability
is as hard-coded as it gets. (Microsoft says that the fix is to turn off scripting, that
is, Active Scripting in the browser's security zone settings. This renders useless sites
designed specifically for IE. Serves 'em right.)
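The point of the cookie vulnerability is that a browser is supposed to hand a page's
script only the cookies scoped to that page's host and path, and IE let that boundary
slip. The following is an added illustration, not code from this column or from
Microsoft: a small model of the domain and path matching a browser must apply before
exposing anything through document.cookie. The host names and cookie values (firm.example,
attacker.example, notfirm.example, the "session" and "admintok" cookies) are constructed
for the example.

```javascript
// Added example: a minimal model of the cookie scoping a browser must enforce.
// Nothing here is Internet Explorer code; hosts and values are constructed.

// The jar records, for each cookie, the scope it was set with.
const jar = [];

function setCookie(name, value, domain, path = "/") {
  jar.push({ name, value, domain: domain.toLowerCase(), path });
}

// Domain match in the RFC 2965 / RFC 6265 sense: the request host must equal
// the cookie's domain or be a subdomain of it. The leading dot is what keeps
// "notfirm.example" from matching a cookie scoped to "firm.example".
function domainMatches(host, domain) {
  host = host.toLowerCase();
  return host === domain || host.endsWith("." + domain);
}

// Path match: the request path must equal the cookie path or sit beneath it,
// on a directory boundary ("/admin" covers "/admin/cases", not "/administrator").
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  const prefix = cookiePath.endsWith("/") ? cookiePath : cookiePath + "/";
  return reqPath.startsWith(prefix);
}

// What document.cookie should expose to script running on a page at host/path:
// only those cookies whose scope covers that page, and nothing set by other sites.
function cookiesVisibleTo(host, path = "/") {
  return jar
    .filter(c => domainMatches(host, c.domain) && pathMatches(path, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// Constructed sample data: a session token for the firm's site, an admin token
// confined to /admin on that site, and a preference cookie from another site.
setCookie("session", "c0ffee", "firm.example");
setCookie("admintok", "s3cr3t", "firm.example", "/admin");
setCookie("theme", "dark", "other.example");

// Expected isolation: a page on www.firm.example sees the firm's session cookie;
// the admin token appears only under /admin; a page on attacker.example, or on the
// look-alike notfirm.example, sees nothing from the firm at all.
function demo() {
  return {
    firmRoot: cookiesVisibleTo("www.firm.example"),
    firmAdmin: cookiesVisibleTo("www.firm.example", "/admin/cases"),
    attacker: cookiesVisibleTo("attacker.example"),
    lookalike: cookiesVisibleTo("notfirm.example"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The disclose-to-other-sites failure the column describes is precisely a break in the
filtering step above; turning scripting off removes the caller rather than fixing the
filter, which is why it is a blunt workaround.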

And that's all before we get into the really juicy stuff.

It got some note last year, but it's worth revisiting the study, Cyber Threats and
Information Security, released last December by the highly regarded Center for Strategic
and International Studies. The study's authors -- and there isn't a lightweight among them
-- noted that Microsoft's computers containing source code had been cracked, and
said:

"There are several recent examples of how formerly industry-specific concerns
have risen -- or have the potential to rise -- to the level of national security
concerns. Perhaps the most recent example is the admission by Microsoft that hackers had
broken into their systems and accessed next-generation Windows software that was not only
unreleased, but not yet even announced. A profound concern to both private and public
entities becomes whether or not any of these products will be trustworthy once they are
released. It is doubtful that the millions (sometimes billions) of lines of code required
to power Microsoft's products could readily be sanitized."

Let's see. What would, a year ago, have been referred to as "next-generation
Windows software"? Why, it's XP! What CSIS is saying, without coming right out and
saying it, is that there could be all sorts of back doors inserted into the XP code
without anyone beyond the cracker, least of all Microsoft, knowing about it. What they're
also saying, and this time they do come right out and say it, is that Microsoft's software
is therefore a national security risk.

Now, there is a concept in the law called "due diligence," and what it
means, basically, is the ability to prove that one knows all that he or she (or it, in the
case of a firm) can reasonably be expected to know. It is required in many securities
transactions, corporate reports, and the like. It can be offered as an affirmative defense
in negligence suits.

And I think I have demonstrated above that it would not be a very effective defense in
a case in which the negligent act came in entrusting confidential data to insecure
Microsoft software. But I repeat myself; the phrase "insecure Microsoft
software" is redundant.

When that lawsuit comes, the effects will be widespread and instant. Engineers call it
the "pucker factor," and without getting too descriptive let me describe it as
the phenomenon in which, because of fear, the chair tends to remain attached to its
occupant even after the occupant stands up. There will be a mad scramble to eliminate
exposure to liability resulting from the use of Microsoft products. At which point there
is likely to be considerable job turnover in the IT industry.